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NOTICE TO USERS 

Use of this system constitutes consent to security monitoring and testing. 
By using this system, the user consents to any interception, monitoring, 
recording, copying, auditing, inspection, or disclosure at the discretion 
of authorized site or corporate personnel. 

Unauthorized or improper use of this system may result in administrative 
disciplinary action and civil and criminal penalties. By continuing to use this 
system you indicate your awareness of and consent to these terms and 
conditions of use. LOG OFF IMMEDIATELY if you do not agree to the 
conditions stated in the warning. 
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<doc> 

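<regexp-query>
  <!-- Flags an exec record whose real gid is non-zero ([1-9]\d*) while the
       effective gid is 0, then aggregates the argv of every child of that pid.
       Tag names, parentheses and %1% placeholders were repaired from a garbled scan;
       the field layout follows the other exec queries in this file. -->
  <name>Possible SGID Exploit</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <!-- (\d+) after pid= is the only capture group; the following lines reference it as %1% -->
      <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\(\d+\); euid=\(\d+\); gid=\([1-9]\d*\); egid=\(0\).*</line>
    </next>
    <next>
      <!-- records whose ppid equals the pid captured above -->
      <line>.*args=\([\-\w\\\/ ]+\); pid=\(\d+\); ppid=\(%1%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
      <action>
        <highlight/>
        <delete/>
        <!-- NOTE(review): which capture %1% denotes here (pattern pid vs. this line's args group) is not
             stated in this file; confirm against the query engine before relying on it -->
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Possible SGID Exploit: %agg%</text>
  </annotation>
</regexp-query>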
</doc> 



<doc> 

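<regexp-query>
  <!-- Counterpart of the SGID query: real uid non-zero ([1-9]\d*) with effective uid 0,
       i.e. a process running as root that was not started by root.
       The scan had lost the closing actionpair tag and most of the procmatch line;
       the latter was rebuilt from the second pattern line of this same query. -->
  <name>Possible SUID Exploit</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <!-- (\d+) after pid= is the capture referenced below as %1% -->
      <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\([1-9]\d*\); euid=\(0\).*</line>
    </next>
    <next>
      <line>.*args=\(.+\); pid=\(\d+\); ppid=\(%1%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\((.+)\); pid=\(\d+\); ppid=\(%1%\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Possible SUID Exploit: %agg%</text>
  </annotation>
</regexp-query>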
</doc> 
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<doc> 

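<regexp-query>
  <!-- Lists every proclog record and aggregates its args value.
       The scanned name read "Ml Processes"; "All" is assumed from the sibling
       "All Shell-spawned Processes" query. -->
  <name>All Processes</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <!-- the character class admits dashes, dots, word chars, backslashes, slashes and spaces -->
      <line>.*proclog.*args=\(([\-\.\w\\\/ ]+)\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\(([\-\.\w\\\/ ]+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Process started: %agg%</text>
  </annotation>
</regexp-query>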
</doc> 




<doc> 

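<regexp-query>
  <!-- Parameterised process search: each child of the outer args element is a
       user-supplied sub-pattern, substituted into the line regex as %name%.
       The defaults below match any args value and numeric ids. -->
  <name>Find Processes ...</name>
  <properties>
    <priority>10</priority>
  </properties>
  <args>
    <!-- inner "args" is the parameter named args (used as %args%), not a nested list -->
    <args>.+</args>
    <pid>\d+</pid>
    <ppid>\d+</ppid>
    <uid>\d+</uid>
    <euid>\d+</euid>
    <gid>\d+</gid>
    <egid>\d+</egid>
  </args>
  <pattern>
    <next>
      <line>.*args=\(%args%\); pid=\(%pid%\); ppid=\(%ppid%\); uid=\(%uid%\); euid=\(%euid%\); gid=\(%gid%\); egid=\(%egid%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\((.+)\); pid.*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Process started: %agg%</text>
  </annotation>
</regexp-query>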
</doc> 




<doc> 

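<regexp-query>
  <!-- Finds exec records whose args is exactly "-sh" (a login shell), captures that
       shell's pid, and aggregates the args of every process whose ppid is that pid.
       Unlike the other process queries this one has no delete action; that is preserved. -->
  <name>All Shell-spawned Processes</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*exec args=\(-sh\); pid=\((\d+)\).*</line>
    </next>
    <next>
      <!-- ppid placeholder reconstructed as %1% (the shell pid); the scan had lost it -->
      <line>.*args=\([\-\w\\\/ ]+\).*ppid=\(%1%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
      <action>
        <highlight/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Executed from a shell: %agg%</text>
  </annotation>
</regexp-query>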
</doc> 



<doc> 

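<regexp-query>
  <!-- Splits an "incoming connection" record into source ip:port and destination ip:port.
       The four capture groups map in order to fromip, fromport, toip, toport. -->
  <name>Incoming Connections</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*incoming connection from=\(.+\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <!-- (.+):(.+) is greedy; an address containing more than one colon would split at the last one -->
      <line>.*incoming connection from=\((.+):(.+)\) to=\((.+):(.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="fromip">%1%</varop>
        <varop var="fromport">%2%</varop>
        <varop var="toip">%3%</varop>
        <varop var="toport">%4%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Incoming Connection From IP: %fromip% (on port: %fromport%) To IP: %toip% (on port: %toport%)</text>
  </annotation>
</regexp-query>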
</doc> 



<doc> 

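<regexp-query>
  <!-- Collects "read stream data" records for one stream id, starting from any read and
       ending at a read whose data contains an escaped \0a, \0d or \04 byte.
       The scan showed fromprev="l"; it is written here as the digit 1, matching the
       %1% placeholder convention, but confirm against the query engine. -->
  <name>Keystrokes Entered</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <!-- (\d+) captures the stream id used as %1% below -->
      <line>.*read stream data, id=\((\d+)\) data=\(.+\).*</line>
    </next>
    <next fromprev="1">
      <line>.*read stream data, id=\(%1%\) data=\(.*\\0[ad4].*\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*read stream data, id=\(%1%\) data=\((.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Keystrokes Entered: %agg%</text>
  </annotation>
</regexp-query>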
</doc> 




<doc> 

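<regexp-query>
  <!-- Mirror of the Keystrokes query for "write stream data" records. The scanned text
       of this element was interleaved out of order (the second pattern line, pattern close
       and procmatch open had drifted below the annotation); it is reassembled here in the
       same element order every other query in this file uses. -->
  <name>Screen Output</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <!-- (\d+) captures the stream id used as %1% below -->
      <line>.*write stream data, id=\((\d+)\) data=\(.+\).*</line>
    </next>
    <next fromprev="1">
      <!-- the scan shows the class as [ad4 6]; read here as [ad46] -->
      <line>.*write stream data, id=\(%1%\) data=\(.*\\0[ad46].*\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*write stream data, id=\(%1%\) data=\((.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Output to screen: %agg%</text>
  </annotation>
</regexp-query>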
</doc> 




<doc> 

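<regexp-query>
  <!-- Parameterised search for "monitored file opened" records; file_name and pid are
       user-supplied sub-patterns substituted as %file_name% and %pid%.
       The scanned parameter tag read "filejiame"; its closing tag shows the real name. -->
  <name>Find Monitored</name>
  <properties>
    <priority>10</priority>
  </properties>
  <args>
    <file_name>.+</file_name>
    <pid>\d+</pid>
  </args>
  <pattern>
    <next>
      <line>.*monitored file opened name=\(%file_name%\) pid=\(%pid%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*monitored file opened name=\((.+)\) pid=\((.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="filename">%1%</varop>
        <varop var="pidvar">%2%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>File Opened: %filename% (from pid: %pidvar%)</text>
  </annotation>
</regexp-query>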
</doc> 



